
Mar 13 2014

NSA and GCHQ infecting computers with malware

Ryan Gallagher and Glenn Greenwald, writing at The Intercept, reveal (based on documents provided by Edward Snowden) the latest criminal scheme by the NSA and GCHQ: an initiative codenamed TURBINE that automates the deployment and control of malware “implants” so that the infection network can scale to potentially millions of computers worldwide.

Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.

The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.

The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

The system has been in operation since 2010, may already have infected up to 100,000 computers, and delivers a range of implants.

One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer.

An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.

The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.

The implants are delivered using both ‘man-on-the-side’ and ‘man-in-the-middle’ techniques. The distinction matters: a man-on-the-side attacker only observes traffic and injects forged replies, racing the legitimate server, while a man-in-the-middle sits in the path and can alter or drop whatever passes through it.

In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.

A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.

This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.

The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is sometimes used by criminal hackers to defraud people.
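The two quoted passages describe the difference between the two injection methods in words. The following toy model is added here to make it concrete; it is not code from The Intercept’s article, from this blog, or from any agency tool. It models a receiver that, like a TCP stack, accepts the first segment carrying the expected sequence number and discards a later segment for the same position as a duplicate, which is exactly the property a man-on-the-side attacker exploits: it cannot stop the genuine reply, so it only has to arrive first. The man-in-the-middle case needs no race because the original never reaches the client. The HMAC key stands in for what an authenticated transport such as TLS gives the endpoints and the attacker lacks; the server address, key and payloads are constructed for the example.

```python
"""Toy model of man-on-the-side vs. man-in-the-middle injection.

Constructed illustration only: no real sockets and no real TCP. The client
accepts the first segment carrying the expected sequence number and drops any
later segment for the same position as a duplicate. The HMAC key is a stand-in
for the key material an authenticated transport (e.g. TLS) gives the endpoints.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_IP = "198.51.100.10"        # constructed documentation address
KEY = b"constructed-demo-key"      # placeholder for a session key the tap does not hold


@dataclass
class Segment:
    src: str        # claimed source address; trivially forgeable by an injector
    seq: int        # position in the stream the receiver expects next
    payload: bytes


@dataclass
class Client:
    server_ip: str
    expected_seq: int
    received: list = field(default_factory=list)

    def deliver(self, seg: Segment) -> bool:
        """Accept a segment only if source and sequence number match.
        The address check is worthless against a spoofer and the seq check
        only orders segments; neither authenticates the sender."""
        if seg.src != self.server_ip or seg.seq != self.expected_seq:
            return False            # dropped: wrong peer, or stale/duplicate position
        self.received.append(seg.payload)
        self.expected_seq += len(seg.payload)
        return True


def man_on_the_side(real: bytes, forged: bytes, attacker_first: bool = True) -> list:
    """Attacker with a passive tap sees the client's request and fires a forged
    reply spoofing the server. It cannot block the genuine reply, so it wins
    only if its segment arrives first; the loser is discarded as a duplicate."""
    seq = 1000
    client = Client(SERVER_IP, seq)
    genuine = Segment(SERVER_IP, seq, real)
    injected = Segment(SERVER_IP, seq, forged)   # spoofed src, predicted seq
    for seg in ([injected, genuine] if attacker_first else [genuine, injected]):
        client.deliver(seg)
    return client.received


def man_in_the_middle(blob: bytes, rewrite) -> bytes:
    """In-path attacker: the original never reaches the client, so no race.
    The client sees exactly one reply, the rewritten one."""
    return rewrite(blob)


def seal(msg: bytes) -> bytes:
    """Append a MAC so the receiver can tell an untouched message from a forgery."""
    tag = hmac.new(KEY, msg, hashlib.sha256).hexdigest().encode()
    return msg + b"|" + tag


def open_sealed(blob: bytes):
    """Return the message if its tag verifies, else None (tampering or forgery)."""
    msg, sep, tag = blob.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(KEY, msg, hashlib.sha256).hexdigest().encode()
    return msg if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    # 1. Man-on-the-side over an unauthenticated channel: the first segment wins.
    print(man_on_the_side(b"<html>real login page</html>", b"<html>implant loader</html>"))
    # 2. The same injected page cannot pass verification without the key.
    print(open_sealed(b"<html>implant loader</html>|0000"))
    # 3. A man-in-the-middle rewrite of plaintext goes unnoticed...
    print(man_in_the_middle(b"meet at 10", lambda b: b.replace(b"10", b"11")))
    # ...but the same rewrite of a sealed message is detected.
    print(open_sealed(man_in_the_middle(seal(b"meet at 10"),
                                        lambda b: b.replace(b"meet at 10", b"meet at 11"))))
```

The model deliberately leaves out retransmission, windows and checksums; the point it preserves is that a source address and a sequence number are not authentication, so over a plaintext connection whoever answers first is believed, and an in-path attacker does not even need to be first. Only a key the attacker does not hold changes the outcome.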

There may be those who still argue that all this is necessary to protect us from terrorists, that all-purpose excuse for government abuses. But it should be well understood that any sophisticated malware system developed and used by a government can be captured, reverse-engineered and repurposed by those who wish to use it for purely criminal ends or for mischief. Once you let loose this sophisticated malware and its associated delivery systems onto the internet, you lose control of it.

Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.

“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”

According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA’s automated TURBINE system.

“As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that’s terrifying,” Blaze says.

“Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?”

While the targets are ostensibly terrorists, they are not exclusively so. The agencies have also targeted system administrators at companies, because an administrator’s access is the gateway to everyone else on the network; that access can then be used for industrial and political espionage (as was the case with Brazilian oil companies, Belgian telecommunications companies, and government ministries worldwide) and for sabotage (as was the case with Stuxnet).

13 comments


  1. Marcus Ranum

    B-b-but I thought it was the EEVIL CHINEEEESE doing that!!!111!!!!

  2. Crimson Clupeidae

    I wonder if your average anti-malware software will protect from that. I don’t have any computers with cameras or microphones hooked up to them, so half their software would be useless on me, but I think most laptops and tablets come with them built in these days.

    I wouldn’t be surprised if the NSA or similar agencies ran at least one porn site. I imagine the amount of traffic they could infect from there would be staggering.

  3. Marcus Ranum

    only targeting who the NSA wants?

    “everyone” Yeah, it’s targeting only who NSA wants.

  5. left0ver1under

    Out of control doesn’t even begin to describe it.

    The NSA are the United Stasi of America.

  6. Marcus Ranum

    Time to install Linux and then only browse the intertubes in a virtual machine.

    That won’t help if there’s a bus-mastering backdoor in the BIOS remote management layer.
    Some of the attacks NSA has been fielding run so far below the operating system that you’re pretty much welcome to do whatever you like with the CPU and memory. There were attacks similar to this demonstrated at CanSecWest 5 or 5 years ago, in which a buffer overrun in a smart phone’s antenna management chip was exploited, giving the attacker the ability to stripmine process memory out of the running kernel that was on the main CPU, all unbeknown to the kernel or even the CPU.

    Plug and Pray.

  7. grizzle

    You have to navigate down about 30 paragraphs in the article to see the very revealing statement that there’s absolutely no evidence that this has actually been implemented…

    “It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world”

    Once again Greenwald has confused the ability to do something with actually doing it.

  8. Nihilismus

    @7 grizzle

    Greenwald and Snowden have built up a lot more credibility than the NSA. When each of their previous revelations have been proven true, or have not been denied (which the NSA usually tries to do), or have been explained by the NSA as “yeah, but we only do it against bad people” or “okay, some good people get caught up in it but that’s the price of freedom and safety” — well, I tend to give Greenwald and Snowden the benefit of the doubt.

  9. grizzle

    @8 Nihilismus

    I disagree. Greenwald has pretty much ruined this story for me. Greenwald alone. He’s not a journalist. He’s a blogger. A lawyer. And he’s ‘technically illiterate’ (I hope he meant ‘technologically’) yet his entire scoop has been based on technology — and not just any technology either, but something fairly significant, to say the least.

    What has been proven true, exactly? Have you seen the stolen documents yourself? We don’t even know exactly how many documents were taken! All we have is reporting based on what is supposedly in these stolen documents. Just about all of it coming from one guy. At least Manning had the decency to drop everything for the people to look at. Greenwald on the other hand is just playing people and the media for everything they’re worth. Releasing tidbits here and there for the better part of a year now.

    Why does Greenwald feel the need to embellish all these details in his work? If the revelations are so damning on their own, why does he need to stretch the truth and pander fear so much — even outright lie?

    Take the article’s headline: “How the NSA Plans to Infect ‘Millions’ of Computers with Malware” and then look at what Mano has titled this blog post: “NSA and GCHQ infecting computers with malware”. Quite a striking difference there. Especially when you come across the quote buried in the article: “It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world”

  10. Mano Singham

    @grizzle #9,

    A few points in response:

    1. The NSA has already infected computers with malware. What they are planning to do is scale up what they have already done dramatically so that millions of computers can be infected. That should have been quite clear in that first passage I quoted:

    In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.

    The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps.

    So both the headlines you quote are correct. And your last quote (that is supposedly ‘buried’) does not contradict anything that came before. It is unclear how many have been unleashed.

    2. We do not have reporting from just one person. By now dozens of journalists around the globe (US, UK, Germany, Brazil, Spain, Canada, Belgium) have had access to different documents and have written stories about them.

    3. The reason that there has not been a document dump is because Snowden did not want one. He wanted journalists he trusted to vet the documents and redact any information that would be actually harmful to people. He wanted accountability and did not care about causing embarrassment. Those redacted documents have been released as part of the reporting. Haven’t you seen all the PowerPoint slides and other documents?

    4. Whatever you may think of Greenwald and his qualities, Snowden chose him and Laura Poitras because he felt that they could be trusted. I am not sure what your definition of ‘journalist’ is or why that issue is even relevant.

  11. keresthanatos...I am my Evil Twin

    Hi grizzle…… who do you work for? F.U.D. is a high art and you seem to be doing the game well. The only reason I ask is because I have been reading these blogs for several years and I haven’t seen your nym before.

  12. grizzle

    I don’t feel the way Greenwald has reported his findings is the correct way to go about covering a story of this size and scope. Greenwald is and always has been an opinion maker, not a journalist. I suppose this is no secret, he does carry himself as a bit of a renegade and that’s almost certainly a big part of what draws people to him. He is also a very gifted writer with a prodigious output. However, a story such as this one should not have been given to an opinion blogger to break the news. Greenwald has an agenda, that’s very clear. In many respects that agenda is simply being dead-set on trying to embarrass the US and UK governments at any given chance. It is true that other outlets have given this story coverage. But Greenwald makes the most noise about this and the majority of the secondary and amplified coverage of these leaks are based on his reporting. Now he has an entire web service dedicated to it. I can’t help but ponder how so many people have failed to see, and are not even slightly suspicious of, how Greenwald has turned publishing stolen top-secret information into a commercial enterprise.

    All of this has me skeptical about the accuracy of the items he’s reporting on. He’s embellished, exaggerated, misrepresented and even outright lied on more than several occasions in his reporting on the subject. I just can’t help but wonder if he can’t get the tiniest details of some of his stories correct, how is one to assume that he’s correct on the larger, more complex and deeper details? If the stories are so groundbreaking, why does he need to exaggerate so often? Well it’s clear to me. Drum up fear, keep the clicks coming and ultimately profit. I myself work in IT, specifically network engineering and databases. It’s easy for me to tell when someone is out of their element when it comes to information systems. Greenwald does not have a background of any sort in these fields and he’s attempting to put into layman’s terms systems and computing that are very complex and robust and cannot be simply ‘boiled down’ while also capturing all the details that matter. It’s very easy to exaggerate something like this to a crowd of people who really have no idea how these systems really work.

  13. Mano Singham

    @grizzle,

    You say that Greenwald has “embellished, exaggerated, misrepresented and even outright lied on more than several occasions in his reporting on the subject.”

    Those are strong allegations. Can you provide examples of each one, especially the “outright lied on more than several occasions”?
